By Walaika Haskins TechNewsWorld
12/30/08 3:36 PM PT
Security researchers have cracked open a significant hole in the digital certificate system used by banks and other online businesses. The exploit would allow hackers to more convincingly imitate a trusted site, presenting an opportunity to phish personal information from the victim. The researchers say they informed leading browser makers before going public with the flaw.
An international group of independent security researchers announced Tuesday that they have found a significant weakness in the Internet digital certificate infrastructure used by many Internet businesses. The flaw could conceivably allow cybercriminals to create fake certificates that would then be accepted and trusted by many widely used Internet browsers.
The weakness, which the researchers demonstrated by producing a forged certificate that browsers accept, could enable an attacker to impersonate secure Web sites and e-mail servers and mount phishing attacks that are virtually undetectable from the browser alone, according to the researchers from California, the Netherlands and Switzerland.
The concern is that these certificates underpin "Secure Sockets Layer" (SSL), the protocol that banks and other financial institutions, online retailers and e-commerce sites rely on to authenticate their servers and protect their transactions.
"The major browsers and Internet players -- such as Mozilla and Microsoft (Nasdaq: MSFT) -- have been contacted to inform them of our discovery and some have already taken action to better protect their users," reassures Arjen Lenstra, head of EPFL's Laboratory for Cryptologic Algorithms.
"To prevent any damage from occurring, the certificate we created had a validity of only one month -- August 2004 -- which expired more than four years ago. The only objective of our research was to stimulate better Internet security with adequate protocols that provide the necessary security," he added.
Weakened Net
Internet users may notice a small padlock icon in the browser when they visit certain Web sites. The icon indicates that the connection is protected by a digital certificate issued by one of the Certification Authorities (CAs) the browser is configured to trust. The certificate acts as a voucher: the CA signs it, and the browser checks that signature against the CA's public key using standard cryptographic algorithms.
That is where the researchers found the weakness. One of those algorithms, the MD5 hash function, was still being used by some CAs to condense a certificate into a short digest before signing it, and MD5 has known collisions: an attacker can construct two different certificates that produce the same digest, so the CA's signature on a harmless certificate is equally valid for the forged one. This, according to the researchers, demonstrates that "a critical part of the Internet's infrastructure is not safe."
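For administrators who want to check their own certificates, here is an added example; it is not from the article or the researchers. It reads the signature algorithm out of a DER-encoded X.509 certificate and flags MD5, parsing just enough DER by hand to reach the two AlgorithmIdentifier fields (the one inside the signed body and the outer one, which RFC 5280 requires to match). The sample certificates are constructed skeletons, not real CA output, and treating SHA-1 as a warning rather than a rejection is an assumed policy that the article does not discuss.

```python
# Added example: flag X.509 certificates whose signature uses MD5.
# Standard library only; the sample certificates below are constructed, not real CA output.

SIG_ALG_NAMES = {                                  # signature algorithm OIDs (RFC 3279 / RFC 4055)
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}
BROKEN = {"1.2.840.113549.1.1.4"}                  # practical collision attacks exist
DEPRECATED = {"1.2.840.113549.1.1.5"}              # assumed policy: warn on SHA-1


def read_tlv(buf, pos):
    """Return (tag, body, next_pos) for the DER element starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                              # long form: next (length & 0x7f) bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(body):
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                           # a clear high bit ends this arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def algorithm_oid(alg_id):
    """AlgorithmIdentifier ::= SEQUENCE { algorithm OBJECT IDENTIFIER, parameters ANY OPTIONAL }"""
    tag, oid_body, _ = read_tlv(alg_id, 0)
    assert tag == 0x06, "expected OBJECT IDENTIFIER"
    return decode_oid(oid_body)


def signature_algorithms(cert):
    """Return (tbsCertificate.signature OID, outer signatureAlgorithm OID) from a DER certificate."""
    tag, cert_body, _ = read_tlv(cert, 0)
    assert tag == 0x30, "Certificate must be a SEQUENCE"
    _, tbs, pos = read_tlv(cert_body, 0)           # tbsCertificate
    _, outer_alg, _ = read_tlv(cert_body, pos)     # signatureAlgorithm
    # tbsCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber INTEGER, signature AlgorithmIdentifier, ... }
    tag, _, pos = read_tlv(tbs, 0)
    if tag == 0xA0:                                # explicit version present; skip to serialNumber
        tag, _, pos = read_tlv(tbs, pos)
    assert tag == 0x02, "expected serialNumber INTEGER"
    _, inner_alg, _ = read_tlv(tbs, pos)
    return algorithm_oid(inner_alg), algorithm_oid(outer_alg)


def assess(cert):
    inner, outer = signature_algorithms(cert)
    if inner != outer:                             # RFC 5280 4.1.1.2: the two fields must agree
        return "reject: signature algorithm mismatch (%s vs %s)" % (inner, outer)
    name = SIG_ALG_NAMES.get(outer, outer)
    if outer in BROKEN:
        return "reject: " + name
    if outer in DEPRECATED:
        return "warn: " + name
    return "ok: " + name


# --- constructed sample certificates; the encoder covers only what the check reads ---

def der(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [arcs[0] * 40 + arcs[1]]
    for a in arcs[2:]:
        chunk, a = [a & 0x7F], a >> 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def build_cert(sig_oid, tbs_sig_oid=None):
    """Skeleton certificate: only the fields the checker reads are meaningful (constructed sample)."""
    def alg(oid):
        return der(0x30, der(0x06, encode_oid(oid)) + b"\x05\x00")   # parameters = NULL
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02"))                     # version v3
                    + der(0x02, b"\x01")                              # serialNumber
                    + alg(tbs_sig_oid or sig_oid)                     # signature
                    + der(0x30, b""))                                 # issuer etc. left empty
    return der(0x30, tbs + alg(sig_oid) + der(0x03, b"\x00" + b"\xAA" * 32))   # dummy signatureValue


MD5_RSA, SHA1_RSA, SHA256_RSA = "1.2.840.113549.1.1.4", "1.2.840.113549.1.1.5", "1.2.840.113549.1.1.11"

if __name__ == "__main__":
    for oid in (MD5_RSA, SHA1_RSA, SHA256_RSA):
        print(assess(build_cert(oid)))
    print(assess(build_cert(SHA256_RSA, tbs_sig_oid=MD5_RSA)))
```

To run it against a real certificate, feed `assess()` the DER bytes of the file (for PEM input, base64-decode the body between the BEGIN and END lines first). Checking both AlgorithmIdentifier fields matters because a verifier that reads only the outer one can be lied to about how the signed body was hashed.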
Previous MD5 Concerns
This, however, is not the first report of a problem with MD5. In 2004, a team of Chinese researchers showed a practical "collision attack" on MD5: finding two different inputs that hash to the same value, which means any digital signature computed over one of them is equally valid for the other. That attack was limited, because the attacker had little control over the content of the two colliding inputs, but a much stronger construction, in which each colliding input can begin with an arbitrary, attacker-chosen prefix (a "chosen-prefix collision"), was announced in May 2007 by researchers elsewhere.
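To make the step from a hash collision to a forged signature concrete, here is an added example; it is not from the article or the researchers. It uses the 2004 colliding pair published by Wang et al., transcribed below, together with a toy hash-then-sign RSA signature (an assumption: unpadded, with Mersenne-prime factors; real CAs use PKCS#1 padding and far larger keys) to show that a signature issued over one input verifies for the other, and keeps doing so when the same suffix is appended to both. The 2008 attack needed the stronger chosen-prefix construction to turn this principle into a usable certificate; this example shows only the identical-prefix case.

```python
import hashlib

# Two distinct 128-byte inputs with the same MD5 hash, transcribed from Wang et al. (2004).
BLOCK_A = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c" "2fcab58712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e488832571415a" "085125e8f7cdc99fd91dbdf280373c5b"
    "d8823e3156348f5bae6dacd436c919c6" "dd53e2b487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080a80d1e" "c69821bcb6a8839396f9652b6ff72a70"
)
BLOCK_B = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c" "2fcab50712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e4888325f1415a" "085125e8f7cdc99fd91dbd7280373c5b"
    "d8823e3156348f5bae6dacd436c919c6" "dd53e23487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080280d1e" "c69821bcb6a8839396f965ab6ff72a70"
)

# Toy RSA key (assumed for the example): two Mersenne primes, no padding. A real CA uses
# PKCS#1 padding and 2048-bit keys, but the hash-then-sign structure the attack exploits is the same.
P = (1 << 61) - 1
Q = (1 << 89) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))


def md5_int(msg):
    return int.from_bytes(hashlib.md5(msg).digest(), "big")


def sign(msg):
    """CA side: the signature covers only the MD5 digest, never the document itself."""
    return pow(md5_int(msg), D, N)


def verify(msg, sig):
    """Verifier side: recompute the digest and compare it with the recovered value."""
    return pow(sig, E, N) == md5_int(msg)


def md5_collides(a, b):
    return a != b and hashlib.md5(a).digest() == hashlib.md5(b).digest()


def signature_transfers(honest, forged, suffix=b""):
    """Does a signature the CA issued over `honest` (plus suffix) verify for `forged` (plus suffix)?"""
    return verify(forged + suffix, sign(honest + suffix))


if __name__ == "__main__":
    print("MD5 collision:", md5_collides(BLOCK_A, BLOCK_B))
    print("Signature over A accepted for B:", signature_transfers(BLOCK_A, BLOCK_B))
    # MD5 is a Merkle-Damgard hash: once the internal states agree after the colliding blocks,
    # any common suffix keeps the collision, which is what lets such blocks sit inside a larger document.
    print("Still accepted with a shared suffix:", signature_transfers(BLOCK_A, BLOCK_B, b"; CN=example"))
    print("Unrelated message rejected:", signature_transfers(BLOCK_A, b"unrelated"))
```

The verifier never sees the document the CA actually signed; it only recomputes a digest and checks it against the signature, so anything with the same digest passes. That is the whole reason the choice of hash function decides whether a signature scheme is trustworthy.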
"It's been known about four years, and there are other certificate policies that could be used. Consumers should know that they can't really trust any site," said Avivah Litan, an analyst at Gartner (NYSE: IT) Research.
Criminals, she told TechNewsWorld, have been successful at launching phishing attacks even without the certificates.
"They don't really need it, and they just keep making more methods that allow them to pose as a legitimate site. [Forging SSL certificates] is a lot of work for very little reward. But it's still not good news that the Internet's security structure is flawed," Litan said.
While Litan said it will take an act of Congress to make the Internet more secure, there are simple measures consumers can implement to better safeguard their financial data.
"The basic step they can take is not to fall for phishing attacks ... You just have to be savvy, never give your PIN (personal identification number) and bank account number away," Litan noted.
Consumers should also learn to recognize fraudulent forms.
"No retailer is ever going to ask for your driver's license, DOB (date of birth), bank account number, etc. Make sure your bank has a policy to protect you. Don't shop at a retailer you're not sure about, and don't use ATMs in the middle of nowhere, don't enter your PIN at a gas station. I only use bank ATMs, never convenience stores, airports, malls, etc. I avoid giving my PIN away even though that's supposed to be more secure. That's the best you can do, and don't give away information that they don't need," she concluded.
I may be wrong here, but isn't MD5, like, way outdated now...? With encryption mechanisms like ...